Thanks Rob, that worked. Still on the subject of certs, any idea how to solve this error:

    Certificate format error: (SEC_ERROR_LEGACY_DATABASE) The certificate/key database is in an old, unsupported format.

I see that in the GUI when querying hosts as well as from the CLI when I ipa-show or ipa-find.

Jim Richard
SYSTEM ADMINISTRATOR III

> On Sep 28, 2016, at 7:44 AM, Rob Crittenden <rcrit...@redhat.com> wrote:
>
> Jim Richard wrote:
>> I have a master with apparently correct, non-expired certs but when I
>> create a new replica master I end up with expired certs.
>>
>> How is this possible, why and of course, how do I fix?
>
> I assume you are running IPA v3.0.0?
>
> The problem is that the root CA stash isn't updated when a replica file is
> prepared in that version (fixed in 3.3 IIRC). You can do this manually with
> something like:
>
> # PKCS12Export -d /var/lib/pki-ca/alias -p /root/dbpass -w /root/dmpass -o /root/cacert.p12
>
> where /root/dmpass is a file that contains the Directory Manager password.
>
> Then rerun ipa-replica-prepare and things should work.
>
> You can look at the certs in /root/cacert.p12 using pk12util to see the change.
>
> rob
>
>> first set is the original master and the second is the certs I get on
>> the new replica
>>
>> [root@sso-110:(NYM) nssdb]$ getcert list
>> Number of certificates and requests being tracked: 8.
>> Request ID '20140923213643':
>>     status: MONITORING
>>     stuck: no
>>     key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA/pwdfile.txt'
>>     certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'
>>     CA: IPA
>>     issuer: CN=Certificate Authority,O=PLACEIQ.NET
>>     subject: CN=sso-110.nym1.placeiq.net,O=PLACEIQ.NET
>>     expires: 2018-08-28 10:36:04 UTC
>>     key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>>     eku: id-kp-serverAuth,id-kp-clientAuth
>>     pre-save command:
>>     post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv PKI-IPA
>>     track: yes
>>     auto-renew: yes
>> Request ID '20140923213732':
>>     status: MONITORING
>>     stuck: no
>>     key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set
>>     certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
>>     CA: dogtag-ipa-renew-agent
>>     issuer: CN=Certificate Authority,O=PLACEIQ.NET
>>     subject: CN=sso-110.nym1.placeiq.net,O=PLACEIQ.NET
>>     expires: 2018-08-06 10:36:02 UTC
>>     key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>>     eku: id-kp-serverAuth,id-kp-clientAuth
>>     pre-save command:
>>     post-save command:
>>     track: yes
>>     auto-renew: yes
>> Request ID '20140923213814':
>>     status: MONITORING
>>     stuck: no
>>     key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PLACEIQ-NET',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PLACEIQ-NET/pwdfile.txt'
>>     certificate: type=NSSDB,location='/etc/dirsrv/slapd-PLACEIQ-NET',nickname='Server-Cert',token='NSS Certificate DB'
>>     CA: IPA
>>     issuer: CN=Certificate Authority,O=PLACEIQ.NET
>>     subject: CN=sso-110.nym1.placeiq.net,O=PLACEIQ.NET
>>     expires: 2018-08-28 10:36:04 UTC
>>     key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>>     pre-save command:
>>     post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv PLACEIQ-NET
>>     track: yes
>>     auto-renew: yes
>> Request ID '20140923213856':
>>     status: MONITORING
>>     stuck: no
>>     key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>>     certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
>>     CA: IPA
>>     issuer: CN=Certificate Authority,O=PLACEIQ.NET
>>     subject: CN=sso-110.nym1.placeiq.net,O=PLACEIQ.NET
>>     expires: 2018-08-28 10:36:04 UTC
>>     key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>>     eku: id-kp-serverAuth,id-kp-clientAuth
>>     pre-save command:
>>     post-save command: /usr/lib64/ipa/certmonger/restart_httpd
>>     track: yes
>>     auto-renew: yes
>> Request ID '20160119021025':
>>     status: MONITORING
>>     stuck: no
>>     key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
>>     certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
>>     CA: dogtag-ipa-renew-agent
>>     issuer: CN=Certificate Authority,O=PLACEIQ.NET
>>     subject: CN=CA Audit,O=PLACEIQ.NET
>>     expires: 2017-10-26 04:38:19 UTC
>>     key usage: digitalSignature,nonRepudiation
>>     pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>>     post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
>>     track: yes
>>     auto-renew: yes
>> Request ID '20160119021038':
>>     status: MONITORING
>>     stuck: no
>>     key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
>>     certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
>>     CA: dogtag-ipa-renew-agent
>>     issuer: CN=Certificate Authority,O=PLACEIQ.NET
>>     subject: CN=OCSP Subsystem,O=PLACEIQ.NET
>>     expires: 2017-10-26 04:37:19 UTC
>>     eku: id-kp-OCSPSigning
>>     pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>>     post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
>>     track: yes
>>     auto-renew: yes
>> Request ID '20160119021055':
>>     status: MONITORING
>>     stuck: no
>>     key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set
>>     certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
>>     CA: dogtag-ipa-renew-agent
>>     issuer: CN=Certificate Authority,O=PLACEIQ.NET
>>     subject: CN=CA Subsystem,O=PLACEIQ.NET
>>     expires: 2017-10-26 04:37:19 UTC
>>     key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>>     eku: id-kp-serverAuth,id-kp-clientAuth
>>     pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>>     post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
>>     track: yes
>>     auto-renew: yes
>> Request ID '20160119021104':
>>     status: MONITORING
>>     stuck: no
>>     key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>>     certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
>>     CA: dogtag-ipa-renew-agent
>>     issuer: CN=Certificate Authority,O=PLACEIQ.NET
>>     subject: CN=IPA RA,O=PLACEIQ.NET
>>     expires: 2017-10-26 04:37:19 UTC
>>     key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>>     eku: id-kp-serverAuth,id-kp-clientAuth
>>     pre-save command:
>>     post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert
>>     track: yes
>>     auto-renew: yes
>>
>> The new replica:
>>
>> [root@sso-108:(NYM) ~]$ getcert list
>> Number of certificates and requests being tracked: 8.
>> Request ID '20160927191253':
>>     status: MONITORING
>>     stuck: no
>>     key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA/pwdfile.txt'
>>     certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'
>>     CA: IPA
>>     issuer: CN=Certificate Authority,O=PLACEIQ.NET
>>     subject: CN=sso-108.nym1.placeiq.net,O=PLACEIQ.NET
>>     expires: 2018-09-28 19:10:33 UTC
>>     key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>>     eku: id-kp-serverAuth,id-kp-clientAuth
>>     pre-save command:
>>     post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv PKI-IPA
>>     track: yes
>>     auto-renew: yes
>> Request ID '20160927191452':
>>     status: CA_WORKING
>>     stuck: no
>>     key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
>>     certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
>>     CA: dogtag-ipa-retrieve-agent-submit
>>     issuer: CN=Certificate Authority,O=PLACEIQ.NET
>>     subject: CN=CA Audit,O=PLACEIQ.NET
>>     expires: 2015-12-03 21:57:56 UTC
>>     key usage: digitalSignature,nonRepudiation
>>     pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>>     post-save command: /usr/lib64/ipa/certmonger/restart_pkicad "auditSigningCert cert-pki-ca"
>>     track: yes
>>     auto-renew: yes
>> Request ID '20160927191453':
>>     status: CA_WORKING
>>     stuck: no
>>     key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
>>     certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
>>     CA: dogtag-ipa-retrieve-agent-submit
>>     issuer: CN=Certificate Authority,O=PLACEIQ.NET
>>     subject: CN=OCSP Subsystem,O=PLACEIQ.NET
>>     expires: 2015-12-03 21:57:56 UTC
>>     key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
>>     eku: id-kp-OCSPSigning
>>     pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>>     post-save command: /usr/lib64/ipa/certmonger/restart_pkicad "ocspSigningCert cert-pki-ca"
>>     track: yes
>>     auto-renew: yes
>> Request ID '20160927191454':
>>     status: CA_WORKING
>>     stuck: no
>>     key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set
>>     certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
>>     CA: dogtag-ipa-retrieve-agent-submit
>>     issuer: CN=Certificate Authority,O=PLACEIQ.NET
>>     subject: CN=CA Subsystem,O=PLACEIQ.NET
>>     expires: 2015-12-03 21:57:56 UTC
>>     key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>>     eku: id-kp-serverAuth,id-kp-clientAuth
>>     pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>>     post-save command: /usr/lib64/ipa/certmonger/restart_pkicad "subsystemCert cert-pki-ca"
>>     track: yes
>>     auto-renew: yes
>> Request ID '20160927191455':
>>     status: MONITORING
>>     stuck: no
>>     key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set
>>     certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
>>     CA: dogtag-ipa-renew-agent
>>     issuer: CN=Certificate Authority,O=PLACEIQ.NET
>>     subject: CN=sso-108.nym1.placeiq.net,O=PLACEIQ.NET
>>     expires: 2018-09-17 19:14:36 UTC
>>     key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>>     eku: id-kp-serverAuth
>>     pre-save command:
>>     post-save command:
>>     track: yes
>>     auto-renew: yes
>> Request ID '20160927191540':
>>     status: MONITORING
>>     stuck: no
>>     key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PLACEIQ-NET',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PLACEIQ-NET/pwdfile.txt'
>>     certificate: type=NSSDB,location='/etc/dirsrv/slapd-PLACEIQ-NET',nickname='Server-Cert',token='NSS Certificate DB'
>>     CA: IPA
>>     issuer: CN=Certificate Authority,O=PLACEIQ.NET
>>     subject: CN=sso-108.nym1.placeiq.net,O=PLACEIQ.NET
>>     expires: 2018-09-28 19:10:32 UTC
>>     key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>>     eku: id-kp-serverAuth,id-kp-clientAuth
>>     pre-save command:
>>     post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv PLACEIQ-NET
>>     track: yes
>>     auto-renew: yes
>> Request ID '20160927192114':
>>     status: MONITORING
>>     stuck: no
>>     key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>>     certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
>>     CA: IPA
>>     issuer: CN=Certificate Authority,O=PLACEIQ.NET
>>     subject: CN=sso-108.nym1.placeiq.net,O=PLACEIQ.NET
>>     expires: 2018-09-28 19:10:34 UTC
>>     key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>>     eku: id-kp-serverAuth,id-kp-clientAuth
>>     pre-save command:
>>     post-save command: /usr/lib64/ipa/certmonger/restart_httpd
>>     track: yes
>>     auto-renew: yes
>> Request ID '20160927192146':
>>     status: MONITORING
>>     stuck: no
>>     key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>>     certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
>>     CA: dogtag-ipa-retrieve-agent-submit
>>     issuer: CN=Certificate Authority,O=PLACEIQ.NET
>>     subject: CN=IPA RA,O=PLACEIQ.NET
>>     expires: 2017-10-26 04:37:19 UTC
>>     key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>>     eku: id-kp-serverAuth,id-kp-clientAuth
>>     pre-save command:
>>     post-save command: /usr/lib64/ipa/certmonger/restart_httpd
>>     track: yes
>>     auto-renew: yes

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
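The replica listing in the thread shows the tell-tale signs of the stale CA stash: CA subsystem certs whose expiry date is already in the past and whose certmonger tracking sits in CA_WORKING instead of MONITORING. The script below, an added example that is not code from the thread or from FreeIPA/certmonger, parses `getcert list` output and flags exactly those entries; the sample input is constructed from the quoted sso-108 listing, and the parser assumes certmonger's `YYYY-MM-DD HH:MM:SS UTC` expiry format.

```python
import re
from datetime import datetime, timezone

# Constructed sample in `getcert list` format, modelled on the replica output
# quoted above: a healthy dirsrv cert and a CA subsystem cert that is expired.
SAMPLE = """\
Request ID '20160927191253':
\tstatus: MONITORING
\tkey pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'
\tsubject: CN=sso-108.nym1.placeiq.net,O=PLACEIQ.NET
\texpires: 2018-09-28 19:10:33 UTC
Request ID '20160927191454':
\tstatus: CA_WORKING
\tkey pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
\tsubject: CN=CA Subsystem,O=PLACEIQ.NET
\texpires: 2015-12-03 21:57:56 UTC
"""

REQ_RE = re.compile(r"^Request ID '(\d+)':")
NICK_RE = re.compile(r"nickname='([^']*)'")
THREAD_DATE = datetime(2016, 9, 28, tzinfo=timezone.utc)  # date of the thread

def parse_getcert(text):
    """Split `getcert list` output into one dict per tracked request."""
    entries, cur = [], None
    for line in text.splitlines():
        m = REQ_RE.match(line)
        if m:
            cur = {"request_id": m.group(1)}
            entries.append(cur)
        elif cur is not None and ":" in line:
            key, _, value = line.strip().partition(":")
            cur[key] = value.strip()
    for e in entries:
        nick = NICK_RE.search(e.get("key pair storage", ""))
        e["nickname"] = nick.group(1) if nick else None
        exp = e.get("expires")  # certmonger prints 'YYYY-MM-DD HH:MM:SS UTC'
        e["expires_at"] = (datetime.strptime(exp, "%Y-%m-%d %H:%M:%S UTC")
                           .replace(tzinfo=timezone.utc) if exp else None)
    return entries

def find_problems(entries, now):
    """(nickname, request_id, reasons) for certs expired at `now` or not MONITORING."""
    problems = []
    for e in entries:
        reasons = []
        if e["expires_at"] and e["expires_at"] <= now:
            reasons.append("expired " + e["expires"])
        if e.get("status") != "MONITORING":
            reasons.append("status " + str(e.get("status")))
        if reasons:
            problems.append((e["nickname"], e["request_id"], reasons))
    return problems
if __name__ == "__main__":  # run against the constructed sample
    print(find_problems(parse_getcert(SAMPLE), THREAD_DATE))
```

On a real host, feed it the output of `getcert list` and compare the master's and the replica's results side by side; the entries the replica flags and the master does not are the ones a stale stash produced.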